In a post on the PlayStation Europe blog, Sony said the credit card information is in a separate database from the user information — names, emails, physical addresses and the like. The credit card data is encrypted, while the user information is not.
"The personal data table, which is a separate data set [from the credit card information], was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack," Sony said.
Encrypted or not, however, Sony says it is not able to rule out the possibility that the credit card information of its users was stolen. That's because the basic user information may be all a hacker would need, considering password and login will get an intruder access to a user's account details, including credit card payment information. Users, however, won't be able to change that information now that the PlayStation Network has been taken offline."